[systemd-devel] File corruption detected (journalctl --verify --verify-key)

Mikhail Morfikov mmorfikov at gmail.com
Mon Feb 9 17:27:33 PST 2015 

Hello there! I just wanted to ask about the sealing log feature because I can't make it work. I tried to set it up in the following way:

I stopped the journald service:

root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# systemctl stop systemd-journald-dev-log.socket
root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# systemctl stop systemd-journald-audit.socket
root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# systemctl stop systemd-journald.socket
root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# systemctl stop systemd-journald.service

Then I removed all files from the journal directory:

root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# rm -R *

Then next thing was to change the config file:

# egrep -v "^#" /etc/systemd/journald.conf
[Journal]
Storage=persistent
Compress=yes
Seal=yes
SplitMode=login
SyncIntervalSec=10m
RateLimitInterval=10s
RateLimitBurst=500
SystemMaxUse=300M
SystemMaxFileSize=16M
RuntimeMaxUse=16M
RuntimeMaxFileSize=8M
MaxFileSec=2week
ForwardToSyslog=no
ForwardToKMsg=no
ForwardToConsole=no

Then I generated the keys:

root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# journalctl --setup-keys --interval=60s
Generating seed...
Generating key pair...
Generating sealing key...

The new key pair has been generated. The secret sealing key has been written to
the following local file. This key file is automatically updated when the
sealing key is advanced. It should not be used on multiple hosts.

        /var/log/journal/159815709bbc46c29ef786cfc497afd4/fss

Please write down the following secret verification key. It should be stored
at a safe location and should not be saved locally on disk.

        4d1177-5d7b1f-c524c8-36150a/16a05bc-3938700

The sealing key is automatically changed every 1min.

The keys have been generated for host morfikownia/159815709bbc46c29ef786cfc497afd4.

root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# ls -al
total 12K
drwxr-sr-x+ 2 root systemd-journal 4.0K 2015-02-10 02:00:52 ./
drwxr-sr-x+ 3 root systemd-journal 4.0K 2015-02-03 01:25:36 ../
-rw-------+ 1 root systemd-journal  482 2015-02-10 02:00:52 fss

Then I started the service:

root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# systemctl start systemd-journald.socket
root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# systemctl start systemd-journald-dev-log.socket
root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# systemctl start systemd-journald-audit.socket
root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# systemctl start systemd-journald.service

root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# systemctl status systemd-journald.service
● systemd-journald.service - Journal Service
   Loaded: loaded (/lib/systemd/system/systemd-journald.service; static; vendor preset: enabled)
   Active: active (running) since Tue 2015-02-10 02:03:14 CET; 6s ago
     Docs: man:systemd-journald.service(8)
           man:journald.conf(5)
 Main PID: 15359 (systemd-journal)
   Status: "Processing requests..."
   CGroup: /system.slice/systemd-journald.service
           └─15359 /lib/systemd/systemd-journald

Feb 10 02:03:14 morfikownia systemd-journal[15359]: Permanent journal is using 8.0M (max allowed 300.0M, trying to leave 1…00.0M).
Feb 10 02:03:14 morfikownia systemd-journal[15359]: Journal started
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
Hint: Some lines were ellipsized, use -l to show in full.

root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# ls -al
total 8.1M
drwxr-sr-x+ 2 root systemd-journal 4.0K 2015-02-10 02:03:14 ./
drwxr-sr-x+ 3 root systemd-journal 4.0K 2015-02-03 01:25:36 ../
-rw-------+ 1 root systemd-journal  482 2015-02-10 02:03:14 fss
-rw-r-----+ 1 root systemd-journal 8.0M 2015-02-10 02:03:14 system.journal

And here's the thing -- before sealing, there's no problem with the log file:

root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# journalctl --verify --verify-key  4d1177-5d7b1f-c524c8-36150a/16a05bc-3938700
PASS: /var/log/journal/159815709bbc46c29ef786cfc497afd4/system.journal
=> No sealing yet, 1.794ms of entries not sealed.

But after the sealing:

root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# journalctl --verify --verify-key  4d1177-5d7b1f-c524c8-36150a/16a05bc-3938700
0747c0: tag failed verification
File corruption detected at /var/log/journal/159815709bbc46c29ef786cfc497afd4/system.journal:0747c0 (of 8388608 bytes, 5%).
FAIL: /var/log/journal/159815709bbc46c29ef786cfc497afd4/system.journal (Bad message)

I checked the journal in order to see what's in there:

root:/var/log/journal/159815709bbc46c29ef786cfc497afd4# journalctl
-- Logs begin at Tue 2015-02-10 02:03:14 CET, end at Tue 2015-02-10 02:03:14 CET. --
Feb 10 02:03:14 morfikownia systemd-journal[15359]: Permanent journal is using 8.0M (max allowed 300.0M, trying to leave 1.7G f
Feb 10 02:03:14 morfikownia systemd-journald[259]: Received SIGTERM from PID 1 (systemd).
Feb 10 02:03:14 morfikownia systemd-journal[15359]: Journal started

And that's pretty much it.

I don't know why this isn't working, and it's always the same thing. No matter what I try, it always fails to verify the log file.

I used the following versions (both of them):

# apt-cache policy systemd
systemd:
  Installed: 218-7
  Candidate: 218-7
  Package pin: 218-7
  Version table:
 *** 218-7 995
        130 http://ftp.pl.debian.org/debian/ experimental/main amd64 Packages
        100 /var/lib/dpkg/status
     215-11 995
        500 http://ftp.pl.debian.org/debian/ sid/main amd64 Packages

Any ideas?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150210/3d394f49/attachment.sig>

More information about the systemd-devel mailing list